details: http://hg.nginx.org/nginx/rev/fcecb9c6a057
branches:
changeset: 5428:fcecb9c6a057
user: Maxim Dounin <mdou...@mdounin.ru>
date: Fri Oct 18 18:13:49 2013 +0400
description:
Fixed "satisfy any" if 403 is returned after 401 (ticket #285).

The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the latter should be returned with the WWW-Authenticate header to request authentication by a client. The problem could be triggered with 3rd party modules and the "deny" directive, or with auth_basic and auth_request which returns 403 (in 1.5.4+). Patch by Jan Marc Hoffmann. diffstat: src/http/ngx_http_core_module.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) diffs (14 lines): diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -1144,7 +1144,9 @@ ngx_http_core_access_phase(ngx_http_requ } if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) { - r->access_code = rc; + if (r->access_code != NGX_HTTP_UNAUTHORIZED) { + r->access_code = rc; + } r->phase_handler++; return NGX_AGAIN; _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
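
Review bot: the new guard `if (r->access_code != NGX_HTTP_UNAUTHORIZED)` in ngx_http_core_access_phase carries no comment saying why 401 is sticky while 403 can still be replaced. A one-line comment above it, stating that NGX_HTTP_UNAUTHORIZED must survive a later NGX_HTTP_FORBIDDEN so the client receives the WWW-Authenticate challenge, would keep a future cleanup from folding it back into the unconditional `r->access_code = rc;`. A regression test for the ticket #285 ordering (one access handler returning 401, a later one returning 403, under "satisfy any") would also be worth adding alongside this change, since the fix depends entirely on handler order.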